Bug 903371

Summary: SELinux blocks gdm/Xorg from starting x11vnc
Product: Red Hat Enterprise Linux 6 Reporter: Stuart Newman <stuart.j.newman>
Component: selinux-policy Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Michal Trunecka <mtruneck>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.3 CC: dwalsh, ebenes, lnovich, mmalik, mtruneck
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-210.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-21 10:15:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Stuart Newman 2013-01-23 20:20:07 UTC
Description of problem: SELinux blocks gdm/Xorg from starting x11vnc


Version-Release number of selected component (if applicable): 3.7.19-155.el6_3.14


How reproducible: always


Steps to Reproduce:
1. Add the line

    /usr/local/bin/x11vnc -rfbauth /path/to/the/vnc/passwd -o /var/log/x11vnc.log -forever -bg

   before the "exit 0" in /etc/gdm/Init/Default
2. Reboot the system
3. cat /var/log/x11vnc.log to see the error

Actual results:
23/01/2013 17:17:56 passing arg to libvncserver: -rfbauth
23/01/2013 17:17:56 passing arg to libvncserver: /etc/x11vnc.passwd
23/01/2013 17:17:56 x11vnc version: 0.9.13 lastmod: 2011-08-10  pid: 1823
23/01/2013 17:17:56 Using X display :0
23/01/2013 17:17:56 rootwin: 0x102 reswin: 0x400001 dpy: 0x2147240
23/01/2013 17:17:56
23/01/2013 17:17:56 ------------------ USEFUL INFORMATION ------------------
23/01/2013 17:17:56
23/01/2013 17:17:56 Wireframing: -wireframe mode is in effect for window moves.
23/01/2013 17:17:56   If this yields undesired behavior (poor response, painting
23/01/2013 17:17:56   errors, etc) it may be disabled:
23/01/2013 17:17:56    - use '-nowf' to disable wireframing completely.
23/01/2013 17:17:56    - use '-nowcr' to disable the Copy Rectangle after the
23/01/2013 17:17:56      moved window is released in the new position.
23/01/2013 17:17:56   Also see the -help entry for tuning parameters.
23/01/2013 17:17:56   You can press 3 Alt_L's (Left "Alt" key) in a row to
23/01/2013 17:17:56   repaint the screen, also see the -fixscreen option for
23/01/2013 17:17:56   periodic repaints.
23/01/2013 17:17:56
23/01/2013 17:17:56 XFIXES available on display, resetting cursor mode
23/01/2013 17:17:56   to: '-cursor most'.
23/01/2013 17:17:56   to disable this behavior use: '-cursor arrow'
23/01/2013 17:17:56   or '-noxfixes'.
23/01/2013 17:17:56 using XFIXES for cursor drawing.
23/01/2013 17:17:56 GrabServer control via XTEST.
23/01/2013 17:17:56
23/01/2013 17:17:56 Scroll Detection: -scrollcopyrect mode is in effect to
23/01/2013 17:17:56   use RECORD extension to try to detect scrolling windows
23/01/2013 17:17:56   (induced by either user keystroke or mouse input).
23/01/2013 17:17:56   If this yields undesired behavior (poor response, painting
23/01/2013 17:17:56   errors, etc) it may be disabled via: '-noscr'
23/01/2013 17:17:56   Also see the -help entry for tuning parameters.
23/01/2013 17:17:56   You can press 3 Alt_L's (Left "Alt" key) in a row to
23/01/2013 17:17:56   repaint the screen, also see the -fixscreen option for
23/01/2013 17:17:56   periodic repaints.
23/01/2013 17:17:56
23/01/2013 17:17:56 XKEYBOARD: number of keysyms per keycode 6 is greater
23/01/2013 17:17:56   than 4 and 2 keysyms are mapped above 4.
23/01/2013 17:17:56   Automatically switching to -xkb mode.
23/01/2013 17:17:56   If this makes the key mapping worse you can
23/01/2013 17:17:56   disable it with the "-noxkb" option.
23/01/2013 17:17:56   Also, remember "-remap DEAD" for accenting characters.
23/01/2013 17:17:56
23/01/2013 17:17:56 X FBPM extension not supported.
23/01/2013 17:17:56 X display is not capable of DPMS.
23/01/2013 17:17:56 --------------------------------------------------------
23/01/2013 17:17:56
23/01/2013 17:17:56 Default visual ID: 0x21
23/01/2013 17:17:56 Read initial data from X display into framebuffer.
23/01/2013 17:17:56 initialize_screen: fb_depth/fb_bpp/fb_Bpl 24/32/4096
23/01/2013 17:17:56
23/01/2013 17:17:56 X display :0.0 is 32bpp depth=24 true color
23/01/2013 17:17:56
23/01/2013 17:17:56 Autoprobing TCP port
23/01/2013 17:17:56 Failure autoprobing: Permission denied
23/01/2013 17:17:56 listen6: bind: Permission denied
23/01/2013 17:17:56 Not listening on IPv6 interface.
23/01/2013 17:17:56 Xinerama: Library libXinerama is not available to determine
23/01/2013 17:17:56 Xinerama: the head geometries, consider using -blackout
23/01/2013 17:17:56 Xinerama: if the screen is non-rectangular.
23/01/2013 17:17:56 fb read rate: 464 MB/sec
23/01/2013 17:17:56 fast read: reset -wait  ms to: 10
23/01/2013 17:17:56 fast read: reset -defer ms to: 10
23/01/2013 17:17:56 The X server says there are 24 mouse buttons.
23/01/2013 17:17:56 Error: could not obtain listening port.
23/01/2013 17:17:56 deleted 32 tile_row polling images.


Expected results:
23/01/2013 16:02:40 passing arg to libvncserver: -rfbauth
23/01/2013 16:02:40 passing arg to libvncserver: /etc/x11vnc.passwd
23/01/2013 16:02:40 x11vnc version: 0.9.13 lastmod: 2011-08-10  pid: 1859
23/01/2013 16:02:40 Using X display :0
23/01/2013 16:02:40 rootwin: 0x102 reswin: 0x400001 dpy: 0x1ae6240
23/01/2013 16:02:40
23/01/2013 16:02:40 ------------------ USEFUL INFORMATION ------------------
23/01/2013 16:02:40
23/01/2013 16:02:40 Wireframing: -wireframe mode is in effect for window moves.
23/01/2013 16:02:40   If this yields undesired behavior (poor response, painting
23/01/2013 16:02:40   errors, etc) it may be disabled:
23/01/2013 16:02:40    - use '-nowf' to disable wireframing completely.
23/01/2013 16:02:40    - use '-nowcr' to disable the Copy Rectangle after the
23/01/2013 16:02:40      moved window is released in the new position.
23/01/2013 16:02:40   Also see the -help entry for tuning parameters.
23/01/2013 16:02:40   You can press 3 Alt_L's (Left "Alt" key) in a row to
23/01/2013 16:02:40   repaint the screen, also see the -fixscreen option for
23/01/2013 16:02:40   periodic repaints.
23/01/2013 16:02:40
23/01/2013 16:02:40 XFIXES available on display, resetting cursor mode
23/01/2013 16:02:40   to: '-cursor most'.
23/01/2013 16:02:40   to disable this behavior use: '-cursor arrow'
23/01/2013 16:02:40   or '-noxfixes'.
23/01/2013 16:02:40 using XFIXES for cursor drawing.
23/01/2013 16:02:40 GrabServer control via XTEST.
23/01/2013 16:02:40
23/01/2013 16:02:40 Scroll Detection: -scrollcopyrect mode is in effect to
23/01/2013 16:02:40   use RECORD extension to try to detect scrolling windows
23/01/2013 16:02:40   (induced by either user keystroke or mouse input).
23/01/2013 16:02:40   If this yields undesired behavior (poor response, painting
23/01/2013 16:02:40   errors, etc) it may be disabled via: '-noscr'
23/01/2013 16:02:40   Also see the -help entry for tuning parameters.
23/01/2013 16:02:40   You can press 3 Alt_L's (Left "Alt" key) in a row to
23/01/2013 16:02:40   repaint the screen, also see the -fixscreen option for
23/01/2013 16:02:40   periodic repaints.
23/01/2013 16:02:40
23/01/2013 16:02:40 XKEYBOARD: number of keysyms per keycode 6 is greater
23/01/2013 16:02:40   than 4 and 2 keysyms are mapped above 4.
23/01/2013 16:02:40   Automatically switching to -xkb mode.
23/01/2013 16:02:40   If this makes the key mapping worse you can
23/01/2013 16:02:40   disable it with the "-noxkb" option.
23/01/2013 16:02:40   Also, remember "-remap DEAD" for accenting characters.
23/01/2013 16:02:40
23/01/2013 16:02:40 X FBPM extension not supported.
23/01/2013 16:02:40 X display is not capable of DPMS.
23/01/2013 16:02:40 --------------------------------------------------------
23/01/2013 16:02:40
23/01/2013 16:02:40 Default visual ID: 0x21
23/01/2013 16:02:40 Read initial data from X display into framebuffer.
23/01/2013 16:02:40 initialize_screen: fb_depth/fb_bpp/fb_Bpl 24/32/4096
23/01/2013 16:02:40
23/01/2013 16:02:40 X display :0.0 is 32bpp depth=24 true color
23/01/2013 16:02:40
23/01/2013 16:02:40 Autoprobing TCP port
23/01/2013 16:02:40 Autoprobing selected port 5900
23/01/2013 16:02:40 Listening also on IPv6 port 5900 (socket 10)
23/01/2013 16:02:40 Xinerama: Library libXinerama is not available to determine
23/01/2013 16:02:40 Xinerama: the head geometries, consider using -blackout
23/01/2013 16:02:40 Xinerama: if the screen is non-rectangular.
23/01/2013 16:02:40 fb read rate: 472 MB/sec
23/01/2013 16:02:40 fast read: reset -wait  ms to: 10
23/01/2013 16:02:40 fast read: reset -defer ms to: 10
23/01/2013 16:02:40 The X server says there are 24 mouse buttons.
23/01/2013 16:02:40 screen setup finished.
23/01/2013 16:02:40

The VNC desktop is:      volvo:0

******************************************************************************
Have you tried the x11vnc '-ncache' VNC client-side pixel caching feature yet?

The scheme stores pixel data offscreen on the VNC viewer side for faster
retrieval.  It should work with any VNC viewer.  Try it by running:

    x11vnc -ncache 10 ...

One can also add -ncache_cr for smooth 'copyrect' window motion.
More info: http://www.karlrunge.com/x11vnc/faq.html#faq-client-caching



Additional info:
The problem seems to be that SELinux is blocking the connection from the xdm_t type process to the vnc_port_t port.  The local policy below fixes the problem.

module locx11vnc 1.1;

require {
	type admin_home_t;
	type vnc_port_t;
	type xdm_t;
	class file { rename write setattr read create open };
	class tcp_socket { name_connect name_bind };
}

#============= xdm_t ==============
#!!!! The source type 'xdm_t' can write to a 'file' of the following types:
# faillog_t, xdm_tmp_t, xdm_log_t, gnome_home_type, pam_var_run_t, xdm_var_lib_t, xdm_var_run_t, etc_runtime_t, pcscd_var_run_t, gconf_home_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, xdm_lock_t, pam_var_console_t, cgroup_t, locale_t, var_auth_t, user_fonts_t, user_tmpfs_t, xdm_spool_t, fonts_cache_t, user_tmp_t, xauth_home_t, auth_cache_t, xdm_tmpfs_t, xserver_log_t, krb5_host_rcache_t, nfs_t, user_home_t

# Grant gdm's domain (xdm_t), which x11vnc inherits when started from
# /etc/gdm/Init/Default, file access to admin_home_t (/root) objects.
allow xdm_t admin_home_t:file { rename write setattr read create open };
# Grant xdm_t bind/connect on vnc_port_t TCP ports (the x11vnc listener).
allow xdm_t vnc_port_t:tcp_socket { name_connect name_bind };

Comment 2 Miroslav Grepl 2013-01-24 07:29:42 UTC
Could you try to execute

# chcon -t xserver_exec_t /usr/local/bin/x11vnc

and re-test it? Thank you.

Comment 3 Stuart Newman 2013-01-24 13:18:52 UTC
That worked.

Comment 4 Miroslav Grepl 2013-01-30 08:48:11 UTC
Thank you for testing.
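
As an added example (not part of the bug report or of the selinux-policy package), a small POSIX sh triage helper that parses an AVC record of the kind this denial produces and flags the pattern discussed above: gdm's domain (xdm_t) binding or connecting to a vnc_port_t port, which points at an unlabelled VNC binary rather than at a missing policy rule. The helper names are assumptions and SAMPLE_AVC is a constructed record, not one captured on the reporter's system.

```shell
#!/bin/sh
# Triage helper for the denial discussed in this bug: pull the source domain,
# target type, object class and permission out of an AVC record and report
# whether it is the "xdm_t may not bind/connect vnc_port_t" pattern.
# Helper names are assumed; SAMPLE_AVC is a constructed record, not from the bug.

SAMPLE_AVC='type=AVC msg=audit(1358968676.101:77): avc:  denied  { name_bind } for  pid=1823 comm="x11vnc" src=5900 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:vnc_port_t:s0 tclass=tcp_socket'

# avc_field RECORD KEY: print the value of KEY=value (empty if absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: the type field of user:role:type[:range].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm RECORD: the first permission listed inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^ }]*\).*/\1/p'
}

# avc_triage RECORD: one-line verdict, MISLABELED_BINARY:... or OTHER:...
avc_triage() {
    sdom=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    class=$(avc_field "$1" tclass)
    perm=$(avc_perm "$1")
    comm=$(avc_field "$1" comm | tr -d '"')
    case "$sdom/$ttype/$class/$perm" in
        xdm_t/vnc_port_t/tcp_socket/name_bind|xdm_t/vnc_port_t/tcp_socket/name_connect)
            # The gdm Init script started the VNC server with no domain
            # transition, so it still runs as xdm_t. Labelling the binary
            # xserver_exec_t (comment 2) fixes this without widening xdm_t.
            printf 'MISLABELED_BINARY:%s:%s->%s:%s\n' "$comm" "$sdom" "$ttype" "$perm" ;;
        *)
            printf 'OTHER:%s:%s->%s:%s:%s\n' "$comm" "$sdom" "$ttype" "$class" "$perm" ;;
    esac
}

avc_triage "$SAMPLE_AVC"
```

The chcon in comment 2 changes only the file's current label; to survive a filesystem relabel, record the context with `semanage fcontext -a -t xserver_exec_t /usr/local/bin/x11vnc` and apply it with `restorecon -v /usr/local/bin/x11vnc`.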

Comment 12 errata-xmlrpc 2013-11-21 10:15:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html